An increasingly important trend in healthcare is one of consumer/patient involvement at all levels of healthcare. People are taking a more active role in their own health management. This trend of patient empowerment has already been widely supported. A number of solutions have been introduced in the market that allow patients to collect their own health-related information and to store them on portable devices, PCs, and in online services (e.g. CapMed, WebMD, MedKey). These solutions are often referred to as Personal Health Record (PHR) services. Already a number of products in the market allow patients to automatically enter measurements and other medical data into their PHR (for example LifeSensor and Microsoft HealthVault). In such a system a weight-scale, for example, will send its information via Bluetooth to a PC from which the data is then uploaded to the user's PHR. This allows patients to collect and manage their own health data, but even more importantly, to share the data with various healthcare professionals involved in their treatment.
Another important trend in healthcare is that the delivery of healthcare has been gradually extended from acute institutional care to outpatient care and home care. Advances in information and communication technologies have enabled remote healthcare services (telehealth) including telemedicine and remote patient monitoring to be developed. A number of services in the market already deploy telehealth infrastructures where the measurement devices are connected via home hubs to remote backend servers. Health care providers use this architecture to remotely access the measurement data and help the patients. Examples are disease management services (such as Philips Motiva and PTS) or emergency response services (Philips Lifeline).
Interoperability of measurement devices, home hubs and backend services becomes very important for enabling and further growth of this market. This need is recognized by the Continua health alliance. As shown in FIG. 1, this initiative standardizes protocols between measurement devices, home hub (application hosting) devices, online healthcare/wellness services (WAN) and health record devices (PHRs/EHRs). Next to data format and exchange issues, Continua is also addressing security and safety issues.
One of the basic security problems in the domain of telehealth is the problem of user and device authentication/identification. Namely, when data remotely measured by patients is used by telehealth services or in the medical professional world, the healthcare providers need to place greater trust in information that patients report. In particular, the service providers have to be satisfied that a measurement is coming from the right patient, and that appropriate device was used to take the measurement. Considering, for example, a blood pressure measurement, it is crucial to know that the blood pressure of a registered user is measured (not of his friends or children), and that the measurement was taken by a certified device and not a cheap fake device. This is very important, because there can be critical health care decisions made based on wrong data. So, user authenticity and device authenticity must be supported. This has the benefits of patient safety (diagnosis and health decisions are based on reliable data with established data provenance), reduction of costs (reuse of patient provided data in the consumer health and the professional healthcare domain is supported as data is reliable) an convenience for the patient (they can take healthcare measurements at home)
In current practice, a device identifier (device ID) is either used as a user identifier (user ID) or as a means to derive a user ID (if multiple users are using the same device). For example, in Continua, as described in Continua Health Alliance, “Recommendations for Proper User Identification in Continua Version 1—PAN and xHR interfaces” (Draft v.01) December 2007, at the PAN interface (see FIG. 1), each Continua device is required to send its own unique device ID. The user ID is optional (and can be just simple as 1, 2, A, B). The valid user ID is obtained at the hub device (application hosting device) which can provide mapping between a simple user ID associated with a device ID to a valid user ID. There might be also measurement devices that can send a valid user ID next to the device ID. Then the mapping is not needed.
There are several problems with this current approach. Firstly, the current approach does not support authentication of users/devices, it only appends the user ID to the measurement. Data origin is not established, as a healthcare provider later in the process cannot securely find which device was used to create the measurement. Secondly, the current mapping approach does not quickly associate the user and device ID, but it introduces room for mistakes. Either a user makes an unintended mistake (if manual mapping is required—the user has to select his ID at application hosting device or measurement device for each measurement) or system can mix the users (the application designer should take special care to provide data management in a way to reduce the potential for associating measurements to the wrong user). Thirdly, a malicious user can introduce wrong measurements by impersonating the real user.